Signed VSTO Deployed with ClickOnce Showing "Unknown Publisher"

Question

I have a production VSTO Add-In that is deployed using ClickOnce. For most of my customers, the installation works fine and the Microsoft Office Customization Installer is able to pick up my company as the publisher like so:

But for some reason, on some computers, the publisher is shown as "Unknown Publisher", like this:

I've tried manually installing our certificate to the user's trusted publishers store, installing the intermediate cert, and the trusted root cert, but in some instances the installer STILL shows "Unknown Publisher". This is extremely frustrating because some of our clients have security policies require Office Add-Ins to be signed by a trusted publisher, and our add-in will not load even after they click install. Instead they are presented with this lovely message:

Here are some details about my add-in project properties:

• Project is built on .NET Framework 4.6.1
• I have a valid certificate issued from Sectigo
• The certificate is installed in my personal certificates store
• I've chosen to sign the ClickOnce manifest and pointed it to my certificate

Any idea what causes this on certain machines, and how to fix it?

Note - Some of the machines that are experiencing this issue are in "closed areas" (no outside internet connection). Not sure if that makes a difference or not.

Answer 1

even if the question is surely already answered. The solution that work pretty well for me is to simply right click the setup.exe and go to the properties, digital signatures to install the certificat to your trusted root authorities.

Answer 2

If you encounter the "Unknown Publisher" message it can also indicate that the end-user is blocking the certificate certificate revocation list (CRL) URL. IF the CRL can not be access, Windows can not tell weather the certificate should be invalidated and asks the user for confirmation. You can find the specific CRL link by opening your certificate and looking trough the properties.